Note: This is an archival copy of Security Sun Alert 201391 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com
as Sun Alert 1001064.1.

Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host

CategorySecurity

Release PhaseResolved

ProductSolaris 10 Operating System

Bug Id
6523815

Date of Workaround Release12-FEB-2007

Date of Resolved Release13-FEB-2007

Impact

A security vulnerability in the in.telnetd(1M) daemon shipped with Solaris 10 may allow a local or remote unprivileged user who is able to connect to a host using the telnet(1) service to gain unauthorized access to that host by connecting as any user on the system, allowing them to execute arbitrary commands with the privileges of that user. This would include the root user (uid 0) if the host is configured to accept telnet logins as the root user.

Note: There is at least one WORM in existence that is making use of this exploit to compromise system integrity.

If remote root logins are disabled, the impact of this issue will be limited to users other than root.

Remote root logins are disabled if the file "/etc/default/login" contains a line that begins with 'CONSOLE'. This can be seen using the grep command as shown below:

$ grep CONSOLE /etc/default/login
CONSOLE=/dev/console

If this line has been commented out by inserting a '#' at the beginning, as in the following example:

#CONSOLE=/dev/console

or if there is no line containing the word 'CONSOLE', then this issue will also apply to the root user.

See login(1) for more information about the /etc/default/login file.

Symptoms

Depending on the manner in which this issue has been exploited, the output from commands such as last(1) (which display information about login and logout activity), may show unexpected logins to the system. Using the '-a' flag with the last(1) command will show the hostname associated with these logins.

Workaround

To workaround this issue, the telnet service can be disabled as in the following example (Note that this will remove the functionality of the in.telnetd daemon on that host):

# svcadm disable svc:/network/telnet:default

Note: If instead of disabling the service, removal of the service is being considered, then please first read Sun Alert 102799:

"Synopsis: svc.startd(1M) May Core Dump While Removing a Service, Causing patchrm(1M) to Terminate and Leave the System Unbootable"

In addition, it is also possible to uncomment (or add) the 'CONSOLE' line in the "/etc/default/login" file so that it looks similar to the following:

CONSOLE=/dev/console

However, this will only prevent unauthorized access to the root account; other user accounts will still be affected by this issue.

Until patches can be applied, you may wish to block access to the telnet service from untrusted networks such as the Internet. Use a firewall or other packet-filtering technology, such as ipfilter, which is shipped with Solaris 10, to block the appropriate network ports.Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 10 with patch 120068-02 or later

x86 Platform

Solaris 10 with patch 120069-02 or later

Note: These patches have been created with a tag that says that a reboot is required after installation. However, this is incorrect (see Bug 6524404). Future Solaris 10 telnetd(1M) patch revisions have had this tag removed.